Meet The Blob: A Password-Stealing Email Threat You Must Not Ignore

This nasty email attack combines the dark world of phishing with the latest internet technology to bypass security protections and steal passwords. Meet The Blob, a password-stealing email threat that is leaving security experts sleepless at night.

The Blob refers to a type of blob URI (Uniform Resource Identifier) used to distribute phishing pages through email inboxes. This legitimate internet technology has become the perfect tool for hackers to compromise user credentials and gain initial access to email accounts.

According to Jacob Malimban, a member of the Cofense Intelligence Team, "Blob URIs are generated by a browser to display and work with temporary data that only that browser can access." This means that blob URIs cannot be directly accessed over the internet like usual websites. However, this also makes it difficult for security defenses to identify and stop such attacks.

"Because the data is local to a client browser," Malimban explained, "blob URIs cannot be directly accessed over the internet like usual websites. The ultimate password-stealing phishing page is not accessible over the internet like other malicious sites, 'because the blob URI used to visit it is generated locally'."

This makes identifying and stopping such attacks harder than they should be, especially for those defenses using AI that have yet to learn "how to distinguish between legitimate and malicious blob URIs," Malimban warned.

How Does The Blob Attack Work?

The blob attack works by sending an email with a link to a site that uses a blob URI. When the user clicks on the link, their browser generates a temporary blob URI that is used to display the phishing page. Because only that browser can access this data, the page cannot be reached directly over the internet.

This also makes such attacks hard for security defenses to detect and block. As Malimban pointed out, "multiple campaigns are currently using the blob URI attack methodology." These campaigns often use social engineering tactics to lure users into clicking on the link.
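To make the legitimate-versus-malicious distinction concrete, the following is an added example, not code from Cofense or from the original article: a static triage heuristic for the inline scripts of a linked page. `URL.createObjectURL()` is the real browser API that mints blob URIs; the signal names, verdict labels and both sample pages are constructed for illustration.

```javascript
// Added example: static triage of a linked page's inline scripts.
// Heuristic only; the signal names, verdicts and sample pages are constructed.

const SIGNALS = {
  // URL.createObjectURL() is the browser API that mints a blob: URI.
  createsBlobUri: /\bURL\s*\.\s*createObjectURL\s*\(/,
  // A Blob typed text/html is a whole page, not an image or a download.
  htmlBlob: /new\s+Blob\s*\([\s\S]{0,200}?type\s*:\s*["']text\/html["']/,
  // The current tab or a new window is pointed at a computed URL.
  navigates: /\blocation\s*(\.\s*href\s*)?=(?!=)|\blocation\s*\.\s*(assign|replace)\s*\(|\bwindow\s*\.\s*open\s*\(/,
};

// Collect the bodies of all inline <script> elements.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(re)) out.push(m[1]);
  return out.join("\n");
}

// Escalate the verdict as the signals stack up.
function triage(html) {
  const js = inlineScripts(html);
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(js));
  const has = (k) => hits.includes(k);
  let verdict = "no-blob-use";
  if (has("createsBlobUri")) verdict = "blob-use"; // common, usually benign
  if (has("createsBlobUri") && has("htmlBlob")) verdict = "review";
  if (verdict === "review" && has("navigates")) verdict = "suspicious";
  return { verdict, hits };
}

// Constructed sample: image preview, a legitimate use of blob URIs.
const PREVIEW_PAGE = `<input type="file" id="f"><img id="p">
<script>
  f.onchange = () => { p.src = URL.createObjectURL(f.files[0]); };
</script>`;

// Constructed sample: page that builds an HTML document locally and opens it.
const LOCAL_DOC_PAGE = `<script>
  const doc = "<p>constructed placeholder</p>";
  const u = URL.createObjectURL(new Blob([doc], { type: "text/html" }));
  window.location.href = u;
</script>`;

console.log(triage(PREVIEW_PAGE).verdict);
console.log(triage(LOCAL_DOC_PAGE).verdict);
```

The heuristic reads inline script text only, so pages that load their logic from external files or obfuscate it need to be rendered in an instrumented browser before the same signals can be observed.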

How Can You Protect Yourself?

Despite the challenges posed by The Blob attack, there are steps you can take to protect yourself. If you receive an email with a link that starts with "blob:http://" or "blob:https://", be on high alert for a potential phishing attack.

"Campaign lures for logging in include receiving an encrypted message, accessing your Intuit tax account," Malimban said, "and reviewing an alert from a financial institution." If you receive such an email, do not click on the link. Instead, report it to your email provider and security team immediately.

Remember, the best defense against The Blob attack is awareness. Be cautious when clicking on links in emails, especially those that start with "blob:".